Password management for iPhone, iPad, PC & Mac

I have been pretty good at recalling a range of passwords across a large number of systems but as I age my memory ain’t what it used to be.

So this morning I thought I should look for an iPhone and iPad password manager that would also have a local PC application. Sounds like something a lot of folks would be wanting.

Google “iphone pc password manager” and the list was lengthy. So some quick culling was in order.

What did I really want?  An application that would securely store passwords with the details of where the password is used. Compatible and transferable / sync’d with iPhone, iPad, Mac, and PC.

First up was http://www.logonce.com/toolbar/iphone.htm but I have concerns that it is a browser plugin on the PC or a hosted system. The opportunity for IE to be hacked is pretty high as is the thought of having my passwords stored in the cloud. Hmm…  might come back if there’s nothing else.

Second up was eWallet which reads really well but put me off with the $20 price tag plus another $10 to get the iPhone version. Bundle it or something guys! Having looked further it appears that this is around the market price so I’ll keep it in the list for the moment.

Ok, I browsed a bit more and located KeePass and it is open source, but the iPhone extensions are not made in house and are out of date. Probably good for PC but does not fit the other criteria.

Hmmm..  I think Ascendo DataVault is looking good with both desktop and iPhone iPad but I cannot find the prices. Weird site setup. If you click on Products you get the Blackberry option with a Buy Now and all the variants but no Buy option. You have to go to the home page and select from the right menu to get the correct links. In any case $10 for desktop and $10 for iOS devices.

In a similar style is 1Password which apparently has all the platforms covered. $30 for the Windows version and $15 on iOS which is dearer than DataVault.

Another one that will make my short list is Strip. Not yet on all platforms but close and should be classed with the above.

SplashID is another that covers all the platforms that I need. Alongside this is mSeven Password Manager.

Ultimate Password Manager for iPhone and iPad looks like a nice app for those platforms but the only sync process is via DropBox. Not one for me.

Wallet Pro for iPhone (and Windows phones) is one that I would say is still early days but it is another cloud style offering which I do not want.

I did find links via Google and from this review listing at BrightHub but given that the review appeared to have been written by someone not paying any attention to detail I would not rely on it.  One of the reviews rates as “Overall, this is a well done password manager app for your iPhone.”  Someone is confused as the link and the maker of Skeleton Key have it listed as a GAME for the iPhone!

RoboForm is another one that stores in an online account so that sync’ing takes place across the platforms. Password Touch is another one alongside My Eyes Only which gave me a chuckle with their “Click below to download your 15 day trail.” misspelling (do I want to walk for 15 days on a trail?). Aside from this MEO relies on wifi and Apple Bonjour and another of their own products. This must increase the risk of compatibility issues over time as well as still being cloud oriented.

Another one that will make the list is SafeWallet; although I am not impressed with their website, there is an active support forum.

I really want something that does not use the cloud.

 

Ok, so I have a shortlist in no particular order:

  1. mSeven Password Manager
  2. SplashID
  3. 1Password
  4. Strip
  5. Ascendo DataVault
  6. eWallet
  7. SafeWallet

I’ll take this off-line and do a review of features to try and get to a 2 or 3 way trial comparison.

WordPress Hacked and issues that raised

Wow!  It’s been a week of WordPress hacking, MySQL backups and Google trawling.

Late last week I was working on oscMax and getting along quite well when I went to write a blog entry and discovered that my blog pages had been converted to some Islamic protest site.

Now just to make one point clear: I am indifferent to religion, whatever works for you is fine, just don’t try to force me to follow you because you must be right!

That said, this entry is about the crippling effect of a hack and links to what I read and used to rectify it.

Things I did wrong:

  1. WordPress was out of date: an older 2.8.6 mu install (multi-user because at one time I was going to host other blogs, but that has not happened)
  2. MySQL backup had been failing for some weeks after I did a password change (I knew what it was but let it go as a minor concern that I would get to, eventually)

Things I had done right:

  1. The area of the site that could be accessed was a sub-directory and the uploaded rubbish was contained within one directory
  2. I have rsync backups of the application directory running on a schedule

So I firstly closed up the site, renamed the compromised directory and contacted my ISP support to check logs. Their logs rotate too quickly and one of the security team was over-zealous and ‘helpfully’ removed all the files that were compromised….  without noting the date/time stamps on the files for me to be sure of when the hack occurred. I had noted that the files I saw were consistent with only being in place within the previous 24 hours but as he did not keep a list I don’t know what else (if any) he found and deleted.
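The list that was not kept is cheap to produce before anything is deleted. The following is an added example, not part of the original post or any tool it mentions: it walks a renamed, quarantined directory and records each file's timestamps, mode, size and SHA-256, then reports the window in which files were last written. The script name and paths in the usage comment are assumptions.

```python
import csv, hashlib, os, stat, sys, time

FIELDS = ["mtime_utc", "ctime_utc", "mode", "size", "sha256", "path"]

def _utc(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Record metadata and a hash for every file under root, oldest change first."""
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            # stat before reading the file; lstat so symlinks are not followed
            st = os.lstat(path)
            regular = stat.S_ISREG(st.st_mode)
            records.append({
                "mtime_utc": _utc(st.st_mtime),
                # inode change time on Unix; utime() cannot set it, unlike mtime
                "ctime_utc": _utc(st.st_ctime),
                "mode": stat.filemode(st.st_mode),
                "size": st.st_size,
                "sha256": _sha256(path) if regular else "",
                "path": path,
            })
    return sorted(records, key=lambda r: (r["mtime_utc"], r["path"]))

def modification_window(records):
    """Earliest and latest mtime seen, which bounds when files were last written."""
    times = [r["mtime_utc"] for r in records]
    return (min(times), max(times)) if times else (None, None)

def write_manifest(records, out_path):
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(records)

if __name__ == "__main__":
    # Usage (example paths): python snapshot.py ./blog-compromised manifest.csv
    recs = snapshot(sys.argv[1])
    write_manifest(recs, sys.argv[2])
    print("files:", len(recs), "mtime window:", modification_window(recs))
```

Write the manifest somewhere outside the quarantined directory and keep it with the incident notes, so the clean-up can proceed without losing the timeline.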

I’ll write up some separate blogs on the various topics I encountered on this week long journey elsewhere, for the moment these are the references that I have used this week that I found helpful. Most from WordPress codex:

Have a read of this first (don’t do anything, read & think first): WordPress FAQ My Site Was Hacked

Download the latest version of WP from WordPress Download

For multi-user equivalent do this after installing WP: Create A Network

When it does not work: Debugging a WordPress Network

Noting that I updated this section with one of my issues: Debugging a WordPress Network « Other Lesser Known Issues

Have a read through this for ideas: Hardening WordPress « WordPress Codex

There are others that I am still reviewing, in particular the security-oriented plug-ins; filter for the WordPress category for my latest posts on this topic.

My site is still not working the way I want and I found that the latest version for MU (or Network as it is now called) is apparently very dependent on Apache or other server settings. On SME Server it will not work (yet) while on my hosted site it works first time. Lost around 3 days on that issue alone.

Trying to reinstate the WordPress 2.8.6 mu from the WordPress Archives fails because the mu archive is the same as the WP archive. I’ve manually extracted the database tables/entries that I needed.

And of course I have changed lots of passwords and done lots of chmod’ing to tighten up the access.

osCmax Security contrib 2.5beta3

Update: Changes in osCmax between this version (beta3) and the RC1 release in early April 2011 have required an update to the osCmax-Security-2.5 bundle. The new information can be found in a post on osCmax Security 2.5RC1.

As I was working with the Check Permissions and the Site Monitor contribs I decided to save myself some longer term pain and bring the two together as the basis for my own Security setup for the sites that I manage.

In the process I have made changes that enable:

Single install process
Check Permissions saves the file and directory permissions to the database for consistent use
Check Permissions now recognises the Site Monitor files that need to be writable
Site Monitor & Check Permissions work with osCmax 2.5 (minor changes)
Both contribs appear within a dedicated Security menu option

You can grab a copy of osCmax-Security-2.5 from here and shortly from the osCmax projects area.

I’ve tested the quick install with a fresh copy of osCmax 2.5 and against an already installed ‘slow install’ with edits and it all seems ok.

Once installed just follow the instructions for each of the two contribs.

osCmax and Site Monitor

Site Monitor is a security monitoring and reporting tool for osCommerce.

I’ve been working through an update that will allow version 2.9 to work with osCmax version 2.5.

I documented it in the osCmax wiki Site Monitor page last night including all the changes that I made to the files.

It should appear as a project / contrib in the osCmax web site in the next few days.

You can download my latest version of Site Monitor 2.9 for osCmax from here as well.